Sarbanes-Oxley Compliance and Wireless LAN ... - AirTight Networks

More documents

Recommendations

Info

AirTight Networks WHITEPAPER Sarbanes-Oxley Compliance and Wireless LAN Security with mutual authentication based on IEEE 802.1x between the client and the network. Proven Interoperability with a WPA2 or WPA-compliant RADIUS Server RADIUS servers such as Cisco ACS, Funk Software Odyssey and Meetinghouse AEGIS provide the back-end authorization capabilities for users trying to access the wireless network. They also provide a method which allows for auditing the users accessing the network. Support for Multiple VLANs with Independent Security Settings Many different types of users may need to access the wireless LAN network. Order administrators require access to the order entry and shipping systems. Accounting and finance staff require access to accounts receivable and payable as well as other financial systems. Marketing and sales teams may require access to sales performance data. Virtual LANS (VLANS) allow each authorized wireless LAN user to gain entry to only the network resources they need to access. In addition, many corporations may use barcode scanners for inventory tracking or in shipping and receiving. These types of devices often do not support today’s WPA2 or WPA security, but the less secure WEP encryption. They too can be segregated on a specific VLAN which only allows access to the specific database or application they are associated with. This, along with frequent encryption key changes and MAC address control lists, mitigates potential security risks. Password Protection and Secure Management Interfaces The wireless LAN system should support secure, authenticated methods of management. Reconfiguring the access point through the management port is one method a malicious hacker might try to access the corporate network. Wireless LAN systems should provide SNMPv3, SSH (secure Web), and SSL (secure Telnet) interfaces. Furthermore, the system should be configurable such that management is not possible over-the-air, and ideally a management VLAN is available such that only stations on a specific VLAN can modify the WLAN network settings. Intrusion Detection and Prevention Wireless intrusion detection is a limited capability of some wireless LAN systems. Only recently have wireless LAN systems been advertising the ability to detect other wireless activity and report it. Most systems simply detect the intrusion, but do not have any means to automatically prevent it. In a large enterprise environment with many hundreds of Wi-Fi devices, and with possible neighboring Wi-Fi networks, the IT organization can be overwhelmed with false alerts and miss the real security issues. More importantly, it is important to understand the implication of the infrastructure itself © 2012 AirTight Networks, Inc. All rights reserved. 4
AirTight Networks WHITEPAPER Sarbanes-Oxley Compliance and Wireless LAN Security providing the control. In wireline networking infrastructure, the control is provided by a separate system. Witness today the clear separation of firewalls and IDS/IPS solutions for the wireline market. With the extreme penalties associated with failure to comply with Sarbanes-Oxley, organizations are advised to carefully consider third generations of wireless intrusion prevention systems now available. Wi-Fi Vulnerabilities Exist, Even in a ‘No Wi-Fi’ Organization Despite all of the above precautions taken to secure the wireless LAN network, a serious security risk can still exist, exposing the organization to Sarbanes-Oxley violations. Even a “no Wi-Fi” policy is no guarantee of security against these threats. Rogue access points can be brought in by employees. Laptops with embedded Wi-Fi can connect to neighboring networks. Both are real, significant risks. Traditional wireline security methods such as firewalls and VPNs do not detect these types of threats. And once the device is behind the corporate firewall, it is viewed as trusted. In this new era of almost ubiquitous Wi-Fi, the corporate air space itself must be considered an asset and protected. The eight major categories of wireless threats are described below. Common Wireless Threats Rogue Access Points The most common, as well as most dangerous, wireless threat is the rogue access point. The rogue access point is typically a low cost, SOHO-class access point brought in by an employee who desires wireless access. The default access point settings typically have no security enabled, and thus when plugged into the corporate network create an entryway for anyone with a Wi-Fi client within range. Mis-configured Access Points For those enterprises with a wireless LAN infrastructure, one potential threat can arise from their own equipment. An access point which becomes mis-configured can potentially open up a door to the corporate network. In particular, if the access point is reset to network defaults or the security settings are turned off. If the access point is not centrally managed, then the likelihood of it going unnoticed is high. Employees will still be able to connect so no problem will be reported. Client Mis-associations Embedded Wi-Fi clients in laptops are now relatively common. Even for those enterprises with a “no Wi-Fi” policy, a Windows XP laptop with a wireless client will automatically try to connect to an SSID that it has successfully connected to before. This scenario is very common for two reasons. © 2012 AirTight Networks, Inc. All rights reserved. 5
Page 1 and 2: AirTight Networks WHITEPAPER Sarban
Page 3: AirTight Networks WHITEPAPER Sarban

Sarbanes-Oxley Compliance and Wireless LAN ... - AirTight Networks

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?